Database Security within the General Security Landscape and a Defense-in-Depth Strategy
2.2 The security software landscape
More than 700 security software companies deal with one aspect or another in the broad category of information security. It is impossible (not necessary and not very interesting) to review what these companies do and what they address. More interesting is to quickly look at a grouping of technology segments into layers—each layer securing the corporate entity from different threats. The glue that binds all of these layers is the corporate security policy that defines the rules, procedures, and processes that aim to protect against and respond to security threats.
2.2.1 Authentication, authorization, and administration
Commonly known as the 3As, authentication, authorization, and administration refers to any layer of security that determines who is attempting to access the resource and whether that entity has the authority to access the resource. Authentication can challenge the user for something they know (a password), something they have (a token), or something they are (biometrics). Authentication methods and technologies include passwords, PKI, SSL digital certificates, tokens, smart cards, and biometrics. Authorization software determines which resources a user is entitled to use. Administration software focuses on centralizing the management and administration of permissions and privileges. In this area the most visible software products are the single sign-on (SSO) and identity management products that help you set up and provision users and then allow users to gain access to multiple resources and applications through a single point of entry.
Figure 2.1 Defense-in-depth strategy: multiple layers can be compromised without causing significant damage.
2.2.2 Firewalls
Firewalls are focused on hardening the perimeter of the corporate network and protecting critical junctures such as the connection to the Internet, extranets, and even segmenting the corporate network into multiple protection domains. The principal use of firewalls is to keep unauthorized users off the corporate network. Firewalls have been around for a long time and probably exist in every single company in the world. In fact, not using a firewall can be viewed as gross negligence or attempted IT suicide.
2.2.3 Virtual private networks (VPNs)
VPNs came about when the Internet evolved to become the ubiquitous network it is today and allowed companies to start using it when they needed to bridge remote offices and allow mobile workers to have access to the internal company network. VPNs are often viewed as extensions to firewalls (and are often sold by the firewall vendors) that provide secure remote access to the corporate network. VPNs provide authorized remote users with secure access to the corporate network and in effect allow you to securely punch holes through the firewall. VPNs are present in most organizations and allow people to work from home, work when they are traveling, and work in remote offices, all while having fully secured access to the internal corporate network. For more on VPNs, refer to the end of Chapter 3.
2.2.4 Intrusion detection and prevention
Firewalls provide a first layer of defense but are shallow in terms of what they look at. Intrusion detection and prevention help you address threats within the perimeter as well as within the internal network and are based on a deeper inspection of the communication streams and on patterns of attack. These systems are either based on libraries of signatures that are used to identify a malicious event or on creating a baseline of normal behavior and inspecting for any change from this normal behavior.
2.2.5 Vulnerability assessment and patch management
Vulnerability assessment tools help you inventory and audit your servers and applications and compare them with known flaws and vulnerabilities.
This process allows you to proactively improve configurations and harden your infrastructure. Once you discover that you can harden your systems, patch management solutions help ensure that this takes place.
2.2.6 Security management
Because security has become such a complex issue, and protecting your infrastructure has become a serious and mandatory activity, many software products can help you manage the process and centralize relevant information. This category of software products includes Security Information Management (SIM) products that help you aggregate security information, correlate data, and report. They also help you manage security systems, incident response systems, and, going broader, security and corporate governance tools.
2.2.7 Antivirus
This is probably the most visible type of security product, and we all know it well from personal use (those of us who have been infected by a virus actually know it better than we would have liked to). This layer of security focuses on protecting users from malicious code (malware) including viruses, worms, Trojans, and so on. Antivirus software can be packaged in many forms: network antivirus software, antivirus in e-mail gateways, desktop antivirus, and so on.
Beyond antivirus, information filtering technologies help you maintain control over the content that traverses your networks. This is a separate category of security software, but because it is often deployed at the same access points at which antivirus software is deployed, the products often converge.
As an example, e-mail filtering often provides antivirus, spam prevention, and content inspection that can prevent restricted material from being distributed (maliciously or accidentally) outside of the organization.
2.2.8 Cutting across categories
It is interesting to note that database security does not fall directly into any one of these categories. In fact, as you’ll see throughout the rest of the book, database security includes aspects that belong to every one of these layers. As an example, we will discuss authentication, authorization, and identification in Chapters 4 and 6 and will look at database firewalls and intrusion detection in Chapter 5. Even the category of virus protection is somewhat relevant: Chapter 3 talks about various worms that have used the database to wreak havoc on network infrastructure, and Chapter 9 discusses database Trojans.
It is also important to understand that because databases are complex and specialized servers, and because communications with databases use SQL (a highly complex and rich procedural, declarative, and control language), any attempt to address database security with generic software solutions such as generic firewalls, IDSs, and IPSs is bound to be partial and thin. This has been tried many times in the past and has always failed.
Without a true understanding of what the database is being asked to do, all of these layers can only provide protection at a rudimentary level that does not really protect the database. It is akin to trying to replace the body’s immune system with a set of goggles, a mask, and latex gloves, not accounting for the fact that the body is a complex organism, that many things do need to enter the body (e.g., food), and that the same intake can be good or bad depending on when it is received, from whom, and what state it is in.
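As an added illustration of this point (example code written for this edit, not from the book), the following Python compares a generic substring signature with a minimal SQL-aware classifier that drops comments and keeps string literals whole; the statements, table names, and function names are constructed for the demonstration.

```python
import re

# Added example, not the book's code: a minimal SQL lexer that keeps string
# literals whole, drops comments, and splits the rest into words.
_TOKEN_RE = re.compile(
    r"'(?:[^']|'')*'|/\*.*?\*/|--[^\n]*|[A-Za-z_][A-Za-z0-9_.]*|\S", re.DOTALL)
_DDL, _DCL = {"CREATE", "ALTER", "DROP", "TRUNCATE"}, {"GRANT", "REVOKE"}
_DML = {"SELECT", "INSERT", "UPDATE", "DELETE"}

def naive_signature(sql):
    """Generic substring signature, the kind of check a SQL-unaware filter applies."""
    return "drop table" in sql.lower()

def tokenize(sql):
    """Tokens of the statement with comments removed ('' inside a literal is an escape)."""
    return [m.group(0) for m in _TOKEN_RE.finditer(sql)
            if not m.group(0).startswith(("/*", "--"))]

def _after(words, keyword):
    """The word following the first occurrence of keyword, or None."""
    upper = [w.upper() for w in words]
    i = upper.index(keyword) + 1 if keyword in upper else len(words)
    return words[i] if i < len(words) else None

def classify(sql):
    """(class, verb, target object) as the database engine itself would read it."""
    toks = tokenize(sql)
    verb = toks[0].upper() if toks else ""
    words = [t for t in toks[1:] if not t.startswith("'")]  # literals are data, not targets
    if verb in _DDL:                       # DROP TABLE t, CREATE INDEX i ...
        return ("DDL", verb, words[1] if len(words) > 1 else None)
    if verb in _DCL:                       # GRANT ... ON obj TO user
        return ("DCL", verb, _after(words, "ON"))
    if verb in _DML:                       # UPDATE t ..., otherwise after FROM / INTO
        key = {"SELECT": "FROM", "DELETE": "FROM", "INSERT": "INTO"}.get(verb)
        return ("DML", verb, _after(words, key) if key else (words[0] if words else None))
    return ("OTHER", verb, None)

# Constructed statements: a literal that merely mentions DROP TABLE, a real DROP
# formatted across lines, and a DELETE preceded by a comment.
SAMPLES = {
    "literal": "SELECT id FROM notes WHERE body = 'please drop table x -- urgent'",
    "formatted": "DROP\n    TABLE orders;",
    "comment": "/* nightly cleanup */ DELETE FROM audit_log WHERE ts < '2004-01-01'",
}

def compare():
    """Name -> (signature verdict, SQL-aware classification) for each sample."""
    return {n: (naive_signature(s), classify(s)) for n, s in SAMPLES.items()}
```

The signature fires on the harmless SELECT and stays silent on the real DROP, while the lexer reports what the engine would actually execute; a production inspector needs a full parser, but the gap is already visible on a few lines.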
From a security market categorization perspective, database security definitely cuts across multiple security domains. The jury is still out regarding where database security fits from a market perspective and from an ownership perspective. It is not yet clear whether database security products will eventually be addressed by the database vendors (e.g., Oracle, IBM, Sybase, Microsoft) and database-product vendors such as Quest, BMC, or by security vendors such as Symantec, Cisco, CA, and Check Point. It is also still unclear whether database security will (with time) become the responsibility of the information security group or remain completely within the responsibilities of the DBA. One trend that may be an indication is the way the application security space is evolving. Application security focuses on creating a security layer for applications, mostly for Web applications. It understands HTTP transactions, URLs, cookies, and HTML pages and also cuts across categories by providing application firewalls, application vulnerability assessments, and more. Clearly this space is being engulfed by the security world rather than the application servers and tools providers.